SandroL, posted August 29, 2018

Hi,

I'm evaluating the usage of Passwordstate for the company I'm working for, and one of the main criteria is the web API. I'm connecting to the API with a Python script and I have found three issues that I think could be bugs, and one is a showstopper for us.

1. The searchpasswords function in combination with a passwordlist-id and username seems to be broken

Example code:

    import requests

    # apiKey, passwordlist and user are set earlier in the script
    headers = {'APIKey': apiKey}
    uri = 'https://ourvault.ourtld/api/searchpasswords/' + str(passwordlist['PasswordListID']) + "?username=" + user
    # verify=False: TLS certificate validation is disabled for this request
    response = requests.get(uri, headers=headers, verify=False)
    print(uri)
    print()
    print(response.status_code)
    print()
    print(response.headers)
    print()
    print(response.content)

Results:

    URI: https://ourvault.ourtld/api/searchpasswords/26?username=root
    Returncode: 500
    Returnheader: {'Cache-Control': 'no-cache,max-age=0, no-cache, must-revalidate', 'Pragma': 'no-cache,no-cache', 'Content-Length': '120', 'Content-Type': 'text/plain; charset=utf-8', 'Expires': '-1,Thu, 01 Jan 1970 00:00:00 GMT', 'Server': 'Microsoft-IIS/8.5', 'Strict-Transport-Security': 'max-age=31536000', 'X-AspNet-Version': '4.0.30319', 'X-Powered-By': 'ASP.NET', 'X-UA-Compatible': 'IE=edge', 'Date': 'Wed, 29 Aug 2018 09:18:31 GMT'}
    Returnbody: b'[{"errors":[{"message":"Invalid API Call"},{"phrase":"Error = Object reference not set to an instance of an object."}]}]'

api/passwords/26?QueryAll is working fine, so it seems it's the searchpasswords function.

2. Inserting hosts is working, but returns an error

Example code:

    import json
    import requests

    # parameters (a JSON string), hostname and apiKey are set earlier in the script
    data = json.loads(parameters)
    data['HostName'] = hostname
    data['HostType'] = "Linux"
    data['APIKey'] = apiKey
    print(data)
    print()
    uri = 'https://ourvault.ourtld/api/hosts'
    response = requests.post(uri, data=data, verify=False)
    print(uri)
    print()
    print(response.status_code)
    print()
    print(response.headers)
    print()
    print(response.content)

Results:

    POSTDATA: {'HostType': 'Linux', 'OperatingSystem': 'Ubuntu', 'RemoteConnectionType': 'SSH', 'RemoteConnectionPortNumber': '22', 'InternalIP': '192.168.1.57', 'MACAddress': '28-C2-DD-E2-52-0E', 'VirtualMachine': 'True', 'VirtualMachineType': 'VMware', 'HostName': 'testhost', 'APIKey': '49d65a2cb83e73f733a8d5f4cb26e94d'}
    URI: https://ourvault.ourtld/api/hosts
    Returncode: 500
    Returnheader: {'Cache-Control': 'no-cache,max-age=0, no-cache, must-revalidate', 'Pragma': 'no-cache,no-cache', 'Content-Length': '120', 'Content-Type': 'text/plain; charset=utf-8', 'Expires': '-1,Thu, 01 Jan 1970 00:00:00 GMT', 'Server': 'Microsoft-IIS/8.5', 'Strict-Transport-Security': 'max-age=31536000', 'X-AspNet-Version': '4.0.30319', 'X-Powered-By': 'ASP.NET', 'X-UA-Compatible': 'IE=edge', 'Date': 'Wed, 29 Aug 2018 09:30:12 GMT'}
    Returnbody: b'[{"errors":[{"message":"Invalid API Call"},{"phrase":"Error = Object reference not set to an instance of an object."}]}]'

The host is getting inserted correctly, but the expected return body is broken.

3. The hostsearch function is broken

Example code:

    import requests

    # apiKey and hostname are set earlier in the script
    headers = {'APIKey': apiKey}
    uri = 'https://ourvault.ourtld/api/hosts?HostName=' + hostname
    response = requests.get(uri, headers=headers, verify=False)
    print(uri)
    print()
    print(response.status_code)
    print()
    print(response.headers)
    print()
    print(response.content)

Results:

    URI: https://ourvault.ourtld/api/hosts?HostName=testhost
    Returncode: 500
    Returnheader: {'Cache-Control': 'no-cache,max-age=0, no-cache, must-revalidate', 'Pragma': 'no-cache,no-cache', 'Content-Length': '120', 'Content-Type': 'text/plain; charset=utf-8', 'Expires': '-1,Thu, 01 Jan 1970 00:00:00 GMT', 'Server': 'Microsoft-IIS/8.5', 'Strict-Transport-Security': 'max-age=31536000', 'X-AspNet-Version': '4.0.30319', 'X-Powered-By': 'ASP.NET', 'X-UA-Compatible': 'IE=edge', 'Date': 'Wed, 29 Aug 2018 09:21:38 GMT'}
    Returnbody: b'[{"errors":[{"message":"Invalid API Call"},{"phrase":"Error = Object reference not set to an instance of an object."}]}]'

The example host "testhost" exists in our Passwordstate instance.

Also strange is that in the API docs, the GET function for hosts is declared as "GET /api/hosts", but all the search examples are for the path "/winapi/hosts/".

Other functions like creating folders, passwordlists and passwords are working without any problems.

support, posted August 30, 2018

Hi Sandro,

Sorry you're having some issues. We don't have any Python experience unfortunately, so hopefully someone else from the community can help if it's a syntax issue.

For the searching of passwords, I could not reproduce your issue in PowerShell. Can you try the following in PowerShell and see if that works for you (replace your API Key as appropriate):

    Invoke-Restmethod -Method GET -Uri 'https://ourvault.ourtld/api/searchpasswords/26?username=root' -Header @{ "APIKey" = "8e796d2b543fac8f57b23cae49d6fc58" }

And we think you have helped us find a bug with relation to querying Hosts records - which is also done when you Add a new host record. Could you contact us via our support page, and we will provide you an updated API to test with? Basically if the field DatabaseServerType is NULL in the database, this is causing the error. I've fixed this in the next release, but can provide you an updated API now if you need to continue on with your evaluation.

Regards
Click Studios

SandroL, posted August 30, 2018

- I'm getting the same error in PowerShell too for the searchpasswords function (see screenshots).
- A new API would not be necessary for the query host problem when it'll be patched in the next version. When do you expect the next release date for the bugfixed version?

Best regards
Sandro

support, posted August 31, 2018

Hi Sandro,

We've released build 8455 today, which fixes the issues in the API with regards to Host records. Can you please use one of the upgrade methods outlined in this document - https://www.clickstudios.com.au/downloads/version9/Upgrade_Instructions_From_V5.pdf

I've just tested your 'searchpasswords' API query again in build 8455, and it appears to be working fine for me. Can you let us know if you still have issues with this call also after upgrading?

Thanks very much.

Regards
Click Studios

support, posted September 3, 2018

Hi Sandro,

With your help, we've been able to figure out the issue with SearchPasswords. If you upgrade to build 8459, this should fix it for you.

Thanks again.

Regards
Click Studios

SandroL, posted September 3, 2018

Hi,

bugs 2 and 3 are fixed (host API), but bug 1 (searchpasswords) persists in build 8459.

Here is my code:

    import requests

    # apiKey, passwordlist and user are set earlier in the script
    headers = {'APIKey': apiKey}
    uri = "https://ourvault.ourtld/api/searchpasswords/" + str(passwordlist['PasswordListID']) + "?username=" + user
    response = requests.get(uri, headers=headers, verify=False)
    print(uri)
    print()
    print(response.status_code)
    print()
    print(response.headers)
    print()
    print(response.content)

Results:

    URI: https://ourvault.ourtld/api/searchpasswords/59?username=root
    Returncode: 500
    Returnheader: {'Cache-Control': 'no-cache,max-age=0, no-cache, must-revalidate', 'Pragma': 'no-cache,no-cache', 'Content-Length': '120', 'Content-Type': 'text/plain; charset=utf-8', 'Expires': '-1,Thu, 01 Jan 1970 00:00:00 GMT', 'Server': 'Microsoft-IIS/8.5', 'Strict-Transport-Security': 'max-age=31536000', 'X-AspNet-Version': '4.0.30319', 'X-Powered-By': 'ASP.NET', 'X-UA-Compatible': 'IE=edge', 'Date': 'Mon, 03 Sep 2018 11:37:14 GMT'}
    Returnbody: b'[{"errors":[{"message":"Invalid API Call"},{"phrase":"Error = Object reference not set to an instance of an object."}]}]'

Here is the api/passwords QueryAll to compare:

    import requests

    headers = {'APIKey': apiKey}
    uri = "https://ourvault.ourtld/api/passwords/" + str(passwordlist['PasswordListID']) + "?QueryAll"
    response = requests.get(uri, headers=headers, verify=False)
    print(uri)
    print()
    print(response.status_code)
    print()
    print(response.headers)
    print()
    print(response.content)

Results:

    URI: https://ourvault.ourtld/api/passwords/59?QueryAll
    Returncode: 200
    Returnheader: {'Cache-Control': 'no-cache,max-age=0, no-cache, must-revalidate', 'Pragma': 'no-cache,no-cache', 'Content-Type': 'application/json; charset=utf-8', 'Expires': '-1,Thu, 01 Jan 1970 00:00:00 GMT', 'Server': 'Microsoft-IIS/8.5', 'Strict-Transport-Security': 'max-age=31536000', 'X-AspNet-Version': '4.0.30319', 'X-Powered-By': 'ASP.NET', 'X-UA-Compatible': 'IE=edge', 'Date': 'Mon, 03 Sep 2018 11:37:14 GMT', 'Content-Length': '412'}
    Returnbody: b'[{"PasswordID":13,"Title":"ssh","Domain":"","HostName":"testhost","UserName":"root","Description":"","GenericField1":"","GenericField2":"","GenericField3":"","GenericField4":"","GenericField5":"","GenericField6":"","GenericField7":"","GenericField8":"","GenericField9":"","GenericField10":"","AccountTypeID":0,"Notes":"","URL":"","Password":"XXXXXX","ExpiryDate":"","AllowExport":true,"AccountType":""}]'

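
Added example, not part of the original posts and not Click Studios code: helpers for a diagnostic script like the ones above that percent-encode the searchpasswords query, unpack the `errors` envelope the API returns on a 500, and mask `APIKey` and `Password` values before request data or response bodies are printed or pasted into a ticket. The function names and the sample password value are assumptions made for this illustration; the endpoint path and body shapes are the ones quoted in the thread.

```python
import json
from urllib.parse import quote, urlencode

SENSITIVE_KEYS = {"apikey", "password"}  # secret-bearing field names seen in this thread

# Sample bodies modelled on the responses quoted in the thread (password value is constructed).
ERROR_BODY = (b'[{"errors":[{"message":"Invalid API Call"},{"phrase":"Error = Object '
              b'reference not set to an instance of an object."}]}]')
OK_BODY = b'[{"PasswordID":13,"Title":"ssh","UserName":"root","Password":"constructed-secret"}]'


def build_search_url(base_url, password_list_id, **filters):
    """Build /api/searchpasswords/<id>?<filters>, percent-encoding every variable part."""
    url = f"{base_url.rstrip('/')}/api/searchpasswords/{quote(str(password_list_id), safe='')}"
    return f"{url}?{urlencode(filters)}" if filters else url


def redact(value):
    """Return a copy with APIKey/Password values masked, recursing into dicts and lists."""
    if isinstance(value, dict):
        return {k: "<redacted>" if str(k).lower() in SENSITIVE_KEYS and v else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def summarize_response(status_code, body):
    """Reduce a raw response to something safe to log: error strings or redacted records."""
    try:
        payload = json.loads(body)
    except ValueError:  # covers invalid JSON and undecodable bytes
        return {"status": status_code, "ok": False, "errors": ["non-JSON body"], "records": []}
    errors, records = [], []
    for item in payload if isinstance(payload, list) else [payload]:
        if isinstance(item, dict) and "errors" in item:
            for err in item["errors"]:
                errors.extend(str(v) for v in err.values() if isinstance(err, dict))
        else:
            records.append(redact(item))
    return {"status": status_code, "ok": status_code == 200 and not errors,
            "errors": errors, "records": records}


if __name__ == "__main__":
    print(build_search_url("https://ourvault.ourtld", 26, username="root"))
    print(redact({"APIKey": "constructed-key", "HostName": "testhost"}))
    print(summarize_response(500, ERROR_BODY))
    print(summarize_response(200, OK_BODY))
```

When these helpers are wired into a real call, `requests.get` accepts a CA bundle path in `verify=`, which keeps certificate validation on while the API key travels in the headers.
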
support, posted September 4, 2018

Hello,

There must be something else causing this now, as I cannot replicate this issue - I'm using the format below, and this seems to be working for me:

    Invoke-Restmethod -Method GET -Uri 'https://passwordstatetest.domain.com/api/searchpasswords/183?username=root' -Header @{ "APIKey" = "b2a57c34fe96d8f36a89c25eb47d4b6c" }

The previous issue that I was able to reproduce was caused by not having a System Wide API Key specified on the screen Administration -> System Settings -> API tab. I don't think it will help, but can you try creating one, then restart IIS, and see if that makes any difference?

Regards
Click Studios